1. Field of the Invention
The present invention relates generally to a communication restricting method in an Ethernet switch, and in particular, to a communication restricting method in which access is controlled on a data link layer 2 by designating a particular terminal as a server and some nodes as communicable with the server terminal using MAC (Media Access Control) addresses.
2. Description of the Related Art
Worldwide communication is accomplished by an ISO standard referred to as OSI (Open System Interconnection) that defines a networking framework for implementing protocols in seven layers: Application Layer 7; Presentation Layer 6; Session Layer 5; Transport Layer 4; Network Layer 3; Data Link Layer 2; and Physical Layer 1. Control is passed from one layer to the next, starting at the application layer 7 in one station, proceeding to the bottom layer over a communication path (channel) to a next station and back up the hierarchy.
Data link control (DLC) is performed by the second lowest layer, data link layer 2, in the hierarchy. Every network interface card (NIC) has a DLC address or DLC identifier (DLCI) that uniquely identifies a node on the network. Some network protocols, such as Ethernet, use the DLC addresses exclusively. The data link layer 2 comprises two sublayers, a logical link control (LLC) layer and media access control (MAC) layer.
A MAC address is a hardware address that uniquely identifies each node of a network. The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer.
A common connection point for devices in a network is a hub, commonly used to connect segments of a LAN (Local Area Network). A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN see all packets. To improve performance and increase bandwidth, the hub has given way to switching hubs or port-switching hubs that forward packets to an appropriate port based on the packets address. Some newer switching hubs support both Ethernet (10 Mpbs) and Fast Ethernet (100 Mbps) ports. The Ethernet is a LAN protocol.
An Ethernet switch can efficiently transfer a plurality of packets from an Ethernet segment to another segment, thereby decreasing traffic over a network. By connecting a plurality of terminals to a plurality of ports of an Ethernet switch, data communication is conducted without contention on a LAN (Local Area Network) and a host terminal is designated among the plurality of terminals to store important information.
A switched Ethernet is defined as an Ethernet LAN that uses switches to connect individual hosts or segments. In the case of individual hosts, the switch replaces a repeater and effectively gives the device full 10 Mbps bandwidth (or 100 Mbps for Fast Ethernet) to the rest of the network. This type of network is sometimes called a desktop switched Ethernet. In the case of segments, the hub is replaced with a switching hub. Traditional Ethernets, in which all hosts are connected to the same bus and compete with one another for the same bandwidth, are called shared Ethernets.
Switched Ethernets are becoming very popular because they are an effective and convenient way to extend the bandwidth of existing Ethernets. That is, a switched Ethernet has one or more direct, point-to-point connections between hosts or segments. Devices connected to the Ethernet switch do not compete with each other and therefore have dedicated bandwidth.
To protect server nodes connected to the Ethernet switch against hacking, a workstation is connected to the Ethernet switch, a firewall is provided to the workstation, IP (Internet Protocol) addresses are registered in the firewall, and the server terminal is connected to the workstation.
A firewall is a system implemented by hardware and/or software to prevent unauthorized access to or from a private network, and are frequently used to prevent unauthorized Internet users (hackers) from accessing private networks connected to the Internet, especially intranets.
When an external client terminal tries to access the server terminal, a path is connected between the external client terminal and the server terminal only when the IP address of the external terminal is registered.
There are several types of known firewall techniques, one of which uses packet filtering. Packet filtering controls access to a network by analyzing the incoming and outgoing packets and letting them pass or halting them based in the source and destination IP addresses. The security function of packet filtering as a firewall technique is susceptible to attacks by hackers using a hacking technique called IP spoofing, wherein, forged IP source addresses are used to circumvent a firewall. That is, an attacking node uses an IP source address of a “trusted” node to try to get past a firewall of a target server.
Thus, the packet appears to have come from inside the protected network and to be eligible for forwarding into the network. Consequently, access security to the information stored in the server terminal is not guaranteed.
Security for computers connected to a network is discussed in the following patents, incorporated-by-reference: U.S. Pat. No. 5,919,257 to Jonathan Trostle entitled Network Workstation Intrusion Detection System; U.S. Pat. No. 5,958,053 to John S. Denker entitled Communications Protocol With Improved Security; U.S. Pat. No. 6,067,620 to James M. Holden et al. entitled Stand Alone Security Device For Computer Networks; U.S. Pat. No. 6,131,163 to Scott L. Wiegel entitled Network Gateway Mechanism Having A Protocol Stack Proxy; and U.S. Pat. No. 6,167,052 to Thomas G. McNeill et al. entitled Establishing connectivity In Networks.